一、Saltstack的基本概述
SaltStack是一个异构平台基础设施管理工具,具有远程执行、配置管理、云管理, 只需要花费数分钟即可运行起来,扩展性组以支撑管理上万台服务器,速度快,服务器之间秒级通讯数秒钟即可完成数据传递。
1.1、saltstack三大功能
- 远程执行
- 配置管理(状态)
- 云管理
1.2、saltstack四种运行方式
- local本地运行
- master/minion方式
- Syndic分布式
- Salt SSH
1.3、saltstack学习网址
- Saltstack官方文档:https://docs.saltstack.com/en/latest/
- Saltstack github:https://github.com/saltstack
二、saltstack安装
2.1、配置yum源
centos7:yum install -y https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm centos6:yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest.el6.noarch.rpm sed -i "s/repo.saltstack.com/mirrors.aliyun.com/saltstack/g" /etc/yum.repos.d/salt-latest.repo yum makecache
2.1、安装master并启动服务
[root@salt-master ~]# yum install salt-master -y [root@salt-master ~]# systemctl enable salt-master [root@salt-master ~]# systemctl start salt-master [root@salt-master ~]# rpm -qa|grep salt-master salt-master-2019.2.0-1.el7.noarch [root@salt-master ~]# rpm -ql salt-master /etc/salt/master /etc/salt/master.d /etc/salt/pki/master /usr/bin/salt /usr/bin/salt-cp /usr/bin/salt-key /usr/bin/salt-master /usr/bin/salt-run /usr/bin/salt-unity /usr/lib/systemd/system/salt-master.service /usr/share/man/man1/salt-cp.1.gz /usr/share/man/man1/salt-key.1.gz /usr/share/man/man1/salt-master.1.gz /usr/share/man/man1/salt-run.1.gz /usr/share/man/man1/salt-unity.1.gz /usr/share/man/man1/salt.1.gz /usr/share/man/man7/salt.7.gz
2.3、安装minion指向master的网络地址(主机名或ip地址)
[root@salt-minion1-c7 ~]# yum install salt-minion -y [root@salt-minion1-c7 ~]# sed -i 's/#master: salt/master: 10.0.0.11/g' /etc/salt/minion [root@salt-minion1-c7 ~]# systemctl enable salt-minion [root@salt-minion1-c7 ~]# systemctl start salt-minion #启动发生异常查看日志 /var/log/salt/master /var/log/salt/minion
对于centos6启动:
[root@salt-minion4-c6 yum.repos.d]# /etc/init.d/salt-minion start Starting salt-minion:root:salt-minion4-c6 daemon: OK [root@salt-minion4-c6 yum.repos.d]# chkconfig salt-minion on [root@salt-minion4-c6 yum.repos.d]# chkconfig --list|grep salt salt-minion 0:off 1:off 2:on 3:on 4:on 5:on 6:off
2.4、saltstack的认证方式
Salt的数据传输是通过AES加密,Master和Minion之间在通信之前,需要进行认证。
1)minion在第一次启动时, 会在/etc/salt/pki/minion/下自动生成minion.pem(private key)和minion.pub(public key)然后将minion.pub发送给master
2)master在第一次启动时, 会在/etc/salt/pki/master下自动生成master.pem和master.pub会接收到minion的public key
3)master通过salt-key命令接收minion public key, 则会在master的/etc/salt/pki/master/minions目录下存放以minion id命名的public key同时minion会保存一份master public key在/etc/salt/pki/minion_master.pub
#在minion上查看 [root@salt-minion1-c7 ~]# tree /etc/salt/ /etc/salt/ ├── cloud ├── cloud.conf.d ├── cloud.deploy.d ├── cloud.maps.d ├── cloud.profiles.d ├── cloud.providers.d ├── master ├── master.d ├── minion ├── minion.d ├── minion_id ├── pki │ ├── master │ └── minion │ ├── minion.pem #minion的私钥 │ └── minion.pub #minion的公钥 ├── proxy ├── proxy.d └── roster #在master查看 [root@salt-master ~]# tree /etc/salt/ /etc/salt/ ├── cloud ├── cloud.conf.d ├── cloud.deploy.d ├── cloud.maps.d ├── cloud.profiles.d ├── cloud.providers.d ├── master ├── master.d ├── minion ├── minion.d ├── pki │ ├── master │ │ ├── master.pem │ │ ├── master.pub │ │ ├── minions │ │ ├── minions_autosign │ │ ├── minions_denied │ │ ├── minions_pre #minion传送过来的公钥 │ │ │ ├── salt-minion1-c7 │ │ │ ├── salt-minion2-c7 │ │ │ ├── salt-minion3-c7 │ │ │ └── salt-minion4-c6 │ │ └── minions_rejected │ └── minion ├── proxy ├── proxy.d └── roster 16 directories, 11 files [root@salt-master ~]# cat /etc/salt/pki/master/minions_pre/salt-minion1-c7 -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWS46MVCSFG/acTB+5t7 q6Y+rCBRwjwg5YmyKhTF1C61U2Uy/ROhQ2kt3fZlx95UzXKDideqR9R7WdK/fQuF E/UUbDh6afDsMq1YgF33cao1HDhdHiwE7V+em4ihuKsMuZGygn5p5ivgKtbLcD7M OVPMijdnYVX2hP5A0ClD2Ed0Ipezw+ubs859Ztyw3TwpW4cXv+U4GXCtfkLfzUJM 5l40IFmdvxUiMnjYuHNxrrVpq5cub2fIMhSTSyoZJaqHc3AJqLnUPzXhTRHLuh1r +ne/bT1iVA3w+XiQC0EM1uwpFo57CRr4dTw6/UAoQWZ0phPEjCFPZSsvWWTWRJNq 4QIDAQAB -----END PUBLIC KEY----- #master通过salt-key认证 [root@salt-master ~]# salt-key -L Accepted Keys: Denied Keys: Unaccepted Keys: salt-minion1-c7 salt-minion2-c7 salt-minion3-c7 salt-minion4-c6 Rejected Keys: [root@salt-master ~]# salt-key -A The following keys are going to be accepted: Unaccepted Keys: salt-minion1-c7 salt-minion2-c7 salt-minion3-c7 salt-minion4-c6 Proceed? [n/Y] Y Key for minion salt-minion1-c7 accepted. Key for minion salt-minion2-c7 accepted. Key for minion salt-minion3-c7 accepted. Key for minion salt-minion4-c6 accepted. [root@salt-master ~]# salt-key -L Accepted Keys: salt-minion1-c7 salt-minion2-c7 salt-minion3-c7 salt-minion4-c6 Denied Keys: Unaccepted Keys: Rejected Keys: #在minion端查看 [root@salt-minion1-c7 ~]# tree /etc/salt/ /etc/salt/ ├── cloud ├── cloud.conf.d ├── cloud.deploy.d ├── cloud.maps.d ├── cloud.profiles.d ├── cloud.providers.d ├── master ├── master.d ├── minion ├── minion.d │ └── _schedule.conf ├── minion_id ├── pki │ ├── master │ └── minion │ ├── minion_master.pub #master的公钥 │ ├── minion.pem │ └── minion.pub ├── proxy ├── proxy.d └── roster #在master上查看 [root@salt-master ~]# tree /etc/salt/ /etc/salt/ ├── cloud ├── cloud.conf.d ├── cloud.deploy.d ├── cloud.maps.d ├── cloud.profiles.d ├── cloud.providers.d ├── master ├── master.d ├── minion ├── minion.d ├── pki │ ├── master │ │ ├── master.pem │ │ ├── master.pub │ │ ├── minions #minion的公钥路径由minions_pre变为minions │ │ │ ├── salt-minion1-c7 │ │ │ ├── salt-minion2-c7 │ │ │ ├── salt-minion3-c7 │ │ │ └── salt-minion4-c6 │ │ ├── minions_autosign │ │ ├── minions_denied │ │ ├── minions_pre │ │ └── minions_rejected │ └── minion ├── proxy ├── proxy.d └── roster
salt-key命令使用
[root@salt-master ~]# salt-key -L Accepted Keys: Denied Keys: Unaccepted Keys: salt-minion1-c7 salt-minion2-c7 salt-minion3-c7 salt-minion4-c6 Rejected Keys: #salt-key的常用参数 -L #查看KEY状态 -A #允许所有 -D #删除所有 -a #认证指定的key -d #删除指定的key(可以重启minion重新认证) -r #注销掉指定key(该状态为未被认证),配置参数--include-accepted,--include-denied #在master端/etc/salt/master配置 auto_accept: True #如果对Minion信任,可以配置master自动接受请求 #添加指定minion的key salt-key -a salt1-minion.example.com -y #添加所有minion的key salt-key -A -y #删除指定的key salt-key -d salt1-minion.example.com -y #删除所有的key salt-key -D -y #拒绝指定minion的key salt-key -r salt-minion4-c6 --include-accepted
三、saltstack远程执行命令
3.1、检测minion是否存活
[root@salt-master ~]# salt '*' test.ping
salt-minion1-c7:
True
salt-minion2-c7:
True
salt-minion3-c7:
True
salt-minion4-c6:
True
[root@salt-master ~]# salt 'salt-minion1-c7' test.ping
salt-minion1-c7:
True
[root@salt-master ~]# salt 'salt-minion?-c7' test.ping
[root@salt-master ~]# salt 'salt-minion*' test.ping
#salt是一个命令
# '*' 表示目标主机,可以指定特定的主机,也可以包含通配符
#test.ping表示一个模块下的方法
3.2、使用cmd.run来远程执行shell命令
[root@salt-master ~]# salt '*' cmd.run 'uptime'
salt-minion4-c6:
04:47:33 up 2:07, 2 users, load average: 0.00, 0.00, 0.00
salt-minion3-c7:
20:48:09 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
salt-minion1-c7:
20:48:09 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
salt-minion2-c7:
20:48:09 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
[root@salt-master ~]# salt 'salt-minion3-c7' cmd.run 'uptime'
salt-minion3-c7:
20:48:20 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
四、saltstack配置管理
saltstack使用yaml格式的状态描述文件,后缀名必须是.sls
4.1、yaml的基本语法
YAML:
1.缩进(层级关系) 2个空格,不能试用Tab。
2.冒号 key: value #中间有空格
3.短横线 - list1
- list2
4.2、设置base环境
[root@salt-master ~]# vim /etc/salt/master
# file_roots: #配置文件示例
# base:
# - /srv/salt/
# dev:
# - /srv/salt/dev/services
# - /srv/salt/dev/states
# prod:
# - /srv/salt/prod/services
# - /srv/salt/prod/states
#
file_roots:
base:
- /srv/salt
[root@salt-master ~]# systemctl restart salt-master.service
4.3、编写yaml配置文件
[root@salt-master ~]# mkdir -p /srv/salt/app
[root@salt-master ~]# cd /srv/salt/app
[root@salt-master app]# cat apache.sls
apache-install:
pkg.installed:
- name: httpd
apache-start:
service.running:
- name: httpd:
- enable: True
[root@salt-master app]# cat vsftpd.sls
vsftpd-install:
pkg.installed:
- name: vsftpd
vsftpd-start:
service.running:
- name: vsftpd
- enable: True
[root@salt-master app]# cat nginx.sls
nginx-install:
pkg.installed:
- name: nginx
nginx-start:
service.running:
- name: nginx
- enable: True
4.4、使用salt命令的state状态模块让minion应用配置
[root@salt-master app]# salt '*' state.sls app.vsftpd
[root@salt-master app]# salt 'salt-minion1-c7' state.sls app.apache
salt-minion1-c7:
----------
ID: apache-install
Function: pkg.installed
Name: httpd
Result: True
Comment: The following packages were installed/updated: httpd
Started: 22:00:16.727956
Duration: 5249.691 ms
Changes:
----------
httpd:
----------
new:
2.4.6-89.el7.centos
old:
httpd-tools:
----------
new:
2.4.6-89.el7.centos
old:
mailcap:
----------
new:
2.1.41-2.el7
old:
----------
ID: apache-start
Function: service.running
Name: httpd
Result: True
Comment: Service httpd has been enabled, and is running
Started: 22:00:22.840059
Duration: 642.933 ms
Changes:
----------
httpd:
True
Summary for salt-minion1-c7
------------
Succeeded: 2 (changed=2)
Failed: 0
------------
Total states run: 2
Total run time: 5.893 s
4.5、需求:不同的主机使用不同的配置 ==>使用salt高级状态模块
需要编写topfile,而且topfile必须放置在base环境中,本环境的base设置在/srv/salt
[root@salt-master salt]# cat top.sls
#base:
# '*':
# - app.vsftpd
#base:
# 'salt-minion*':
# - app.apache
base:
'salt-minion1-c7':
- app.nginx
'salt-minion2-c7':
- app.nginx
'salt-minion3-c7':
- app.apache
- app.vsftpd
'salt-minion4-c6':
- app.vsftpd
[root@salt-master salt]# salt '*' state.highstate
当正式执行之前我们可以干跑测试一下,没问题后在执行
[root@salt-master salt]# salt '*' state.highstate test=true
五、saltstack消息队列
SaltStack底层是基于ZeroMQ进行高效的网络通信,ZeroMQ支持Publish/Subscribe即发布与订阅模式,我们经常简称Pub/Sub。
[root@salt-master salt]# netstat -lntup Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1138/sshd tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN 26086/salt-master Z tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 26092/salt-master M tcp6 0 0 :::22 :::* LISTEN 1138/sshd udp 0 0 127.0.0.1:323 0.0.0.0:* 562/chronyd udp6 0 0 ::1:323 :::* 562/chronyd
master上运行着两种网络服务:
1)ZeroMQ PUB 消息发布与订阅系统,监听4505(可以修改/etc/salt/master配置文件的publish_port参数设置端口),主要用于master对minion发布命令
[root@salt-master salt]# lsof -ni:4505 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME /usr/bin/ 26086 root 16u IPv4 77189 0t0 TCP *:4505 (LISTEN) /usr/bin/ 26086 root 18u IPv4 77811 0t0 TCP 10.0.0.11:4505->10.0.0.23:36192 (ESTABLISHED) /usr/bin/ 26086 root 19u IPv4 78053 0t0 TCP 10.0.0.11:4505->10.0.0.22:56022 (ESTABLISHED) /usr/bin/ 26086 root 20u IPv4 80352 0t0 TCP 10.0.0.11:4505->10.0.0.24:46243 (ESTABLISHED) /usr/bin/ 26086 root 21u IPv4 80354 0t0 TCP 10.0.0.11:4505->10.0.0.21:40330 (ESTABLISHED)
2)ZeroMQ REP系统(Request-Reply请求与响应模式),默认就监听4606(可以修改/etc/salt/master配置文件的ret_port参数设置),主要用于master接受minion执行后的返回值
master上进程方式:
[root@salt-master ~]# ps aux | grep salt root 26071 0.0 4.1 389608 41244 ? Ss 21:49 0:00 /usr/bin/python /usr/bin/salt-master ProcessManager root 26081 0.0 2.0 326236 20376 ? S 21:49 0:00 /usr/bin/python /usr/bin/salt-master MultiprocessingLoggingQueue root 26086 0.0 3.4 470324 34832 ? Sl 21:49 0:00 /usr/bin/python /usr/bin/salt-master ZeroMQPubServerChannel root 26087 0.0 4.8 403536 48808 ? S 21:49 0:00 /usr/bin/python /usr/bin/salt-master EventPublisher root 26090 0.1 6.8 422092 68924 ? S 21:49 0:05 /usr/bin/python /usr/bin/salt-master Maintenance root 26091 0.0 3.5 389476 35112 ? S 21:49 0:00 /usr/bin/python /usr/bin/salt-master ReqServer_ProcessManager root 26092 0.0 3.6 766332 36104 ? Sl 21:49 0:00 /usr/bin/python /usr/bin/salt-master MWorkerQueue root 26093 0.0 5.7 573876 57520 ? Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-0 root 26094 0.0 5.7 574856 57472 ? Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-1 root 26101 0.0 5.8 575396 58768 ? Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-2 root 26102 0.0 5.8 574860 58316 ? Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-3 root 26103 0.0 5.5 491548 55980 ? Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-4 root 26104 0.1 3.5 463340 35492 ? Sl 21:49 0:05 /usr/bin/python /usr/bin/salt-master FileserverUpdate root 30250 0.0 0.0 112660 972 pts/1 R+ 22:39 0:00 grep --color=auto salt
六、saltstack常用配置
6.1、master常用配置(/etc/salt/master)
interface: #指定bind 的地址(默认为0.0.0.0)
publish_port: #指定发布端口(默认为4505)
ret_port: #指定结果返回端⼝, 与minion配置文件中的master_port对应(默认为4506)
user: #指定master进程的运行用户,如果调整, 则需要调整部分目录的权限(默认为root)
timeout: #指定timeout时间, 如果minion规模庞大或网络状况不好,建议增大该值(默认5s)
keep_jobs: #minion执行结果返回master, master会缓存到本地的cachedir目录,该参数指定缓存多长时间,可查看之间执行结果会占用磁盘空间(默认为24h)
job_cache: #master是否缓存执行结果,如果规模庞⼤(超过5000台),建议使用其他方式来存储jobs,关闭本选项(默认为True)
file_recv : #是否允许minion传送文件到master 上(默认是Flase)
file_roots: #指定file server目录, 默认为:
file_roots:
base:
- /srv/salt
pillar_roots : #指定pillar目录, 默认为:
pillar_roots:
base:
- /srv/pillar
log_level: #日志级别,支持的日志级别有'garbage', 'trace', 'debug', info', 'warning', 'error', ‘critical ’ ( 默认为’warning’)
6.2、minion端常用配置(/etc/salt/minion)
master: #指定master 主机(默认为salt) master_port: #指定认证和执⾏结果发送到master的哪个端⼝, 与master配置⽂件中的ret_port对应(默认为4506) id: #指定本minion的标识, salt内部使⽤id作为标识(默认为主机名) user: #指定运⾏minion的⽤户.由于安装包,启动服务等操作需要特权⽤户, 推荐使⽤root( 默认为root) cache_jobs : #minion是否缓存执⾏结果(默认为False) backup_mode: #在⽂件操作(file.managed 或file.recurse) 时, 如果⽂件发⽣变更,指定备份目录.当前有效 providers : #指定模块对应的providers, 如在RHEL系列中, pkg对应的providers 是yumpkg5 renderer: #指定配置管理系统中的渲染器(默认值为:yaml_jinja ) file_client : #指定file clinet 默认去哪⾥(remote 或local) 寻找⽂件(默认值为remote) loglevel: #指定⽇志级别(默认为warning) tcp_keepalive : #minion 是否与master 保持keepalive 检查, zeromq3(默认为True)